On Tue, 17 Dec 2024, P M via FreeIPA-users wrote:
Hi,

I requested a new cert signed by my CA on a FreeIPA server (v. 4.12.2). I used yubico-piv-tool to generate the pub key (RSA 2048) and the CSR with these commands:

# yubico-piv-tool --key=$KEY -a generate -s 9a -A RSA2048 -o pub.pem
# yubico-piv-tool -a verify -a request -s 9a -P $PIN -S testuser -i pub.pem -o req.pem
# ipa cert-request --profile-id=caIPAuserCert --principal testuser req.pem
# yubico-piv-tool --key=$KEY -a import-certificate -i cert.pem -s 9a
Successfully generated a certificate request.

# yubico-piv-tool -astatus
----------
Version: 5.2.4
Serial Number: 13650097
CHUID: 3019d4e739da739ced39ce739d836858210842108421c84210c3eb3410d8c945bb687fce09b0aabace3e5aee54350832303330303130313e00fe00
CCC: f015a000000116ff02d5ed3808a889ef7813b255513e49f10121f20121f300f40100f50110f600f700fa00fb00fc00fd00fe00
Slot 9a:
  Algorithm: RSA2048
  Subject DN: O=EXAMPLE.COM, CN=testuser
  Issuer DN: O=EXAMPLE.COM, CN=Certificate Authority
  Fingerprint: b3734e2d6b4f564096b8d23349ce327468212088511808771fc2dcaef955cb6c
  Not Before: Dec 17 12:30:24 2024 GMT
  Not After: Dec 18 12:30:24 2026 GMT
PIN tries left: 3
--------

Everything looks good and there are no issues while generating the cert.
But when I try to authenticate via kinit I get the error below:

# KRB5_TRACE=/dev/stderr kinit -X 'X509_user_identity=PKCS11:module_name=opensc-pkcs11.so:slotid=0:certid=01' [email protected]
---------------------
[1806878] 1734439236.12071: Getting initial credentials for [email protected]
[1806878] 1734439236.12073: Sending unauthenticated request
[1806878] 1734439236.12074: Sending request (216 bytes) to EXAMPLE.COM
[1806878] 1734439236.12075: Initiating TCP connection to stream 92.117.239.216:88
[1806878] 1734439236.12076: Sending TCP request to stream 92.117.239.216:88
[1806878] 1734439236.12077: Received answer (572 bytes) from stream 92.117.239.216:88
[1806878] 1734439236.12078: Terminating TCP connection to stream 92.117.239.216:88
[1806878] 1734439236.12079: Response was from master KDC
[1806878] 1734439236.12080: Received error from KDC: -1765328359/Additional pre-authentication required
[1806878] 1734439236.12083: Preauthenticating using KDC method data
[1806878] 1734439236.12084: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-SPAKE (151), PA-ENC-TIMESTAMP (2), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
[1806878] 1734439236.12085: Selected etype info: etype aes256-cts, salt "54=HJ*K8W$[yd5%9", params ""
[1806878] 1734439236.12086: Received cookie: MIT1\x00\x00\x00\x01I\x12\xb1M+\xf8\x98\\xe3\x83\x9ds\xaa\x9b\xbe\xa6\x14\xb4\xbd\x0c\xcf\x03\xe6Y\xcf\xad\x9bN\xd2\x199\xe5y\xdd\xe5e\xda\xa4\xcf*.\xdfP\x19\xc2\xff\x97\x1a\xd0\x12\xd777\xa5\xab\xff\x17\x9e\xf9\xeb\x84\xf7\xff^\x7f\xaab \x9b\xc2\xf2\xb8\xdf\xd7*x0Pb\xbcw(`\x18\x92mx\x06~\xa2\x97(\x9b\x81\xac\xb4\x924\xee\xb2\xad\xb4\\x0d\xbb\xd96\xb9<\x96\xacN\xed\x85=\xb1\xb2H=I\x9a\xf60^\xd3\xe8\xbc\xd5..X\xa1\x1b\x8c\xc7\x04\x84\xd0\xf5\xc9*y
[1806878] 1734439239.509152: Preauth module pkinit (147) (info) returned: 0/Success
[1806878] 1734439239.509153: PKINIT client received freshness token from KDC
[1806878] 1734439239.509154: Preauth module pkinit (150) (info) returned: 0/Success
testuser PIN: ******
[1806878] 1734439246.189952: PKINIT loading CA certs and CRLs from FILE
[1806878] 1734439246.189953: PKINIT loading CA certs and CRLs from FILE
[1806878] 1734439246.189954: PKINIT client computed kdc-req-body checksum 9/7D1E16CF5D1D663387C325C75ED56758D8071597
[1806878] 1734439246.189956: PKINIT client making DH request
[1806878] 1734439246.189957: Preauth module pkinit (16) (real) returned: 0/Success
[1806878] 1734439246.189958: Produced preauth for next request: PA-FX-COOKIE (133), PA-PK-AS-REQ (16)
[1806878] 1734439246.189959: Sending request (3288 bytes) to EXAMPLE.COM
[1806878] 1734439246.189960: Initiating TCP connection to stream 92.117.239.216:88
[1806878] 1734439246.189961: Sending TCP request to stream 92.117.239.216:88
[1806878] 1734439246.189962: Received answer (195 bytes) from stream 92.117.239.216:88
[1806878] 1734439246.189963: Terminating TCP connection to stream 92.117.239.216:88
[1806878] 1734439246.189964: Response was from master KDC
[1806878] 1734439246.189965: Received error from KDC: -1765328304/Digest in signed-data not accepted
kinit: Digest in signed-data not accepted while getting initial credentials
--------------------------------------

Any suggestions what can be wrong? On my old IPA server (v. 4.6.8) everything works fine.
What OS is this?

Basically, the PKINIT preauthentication plugin runs verification of the CMS signatures, and it fails in a way other than verification of the certificates. It most likely means your certificate or a client is using a signature that is not allowed on the system where this verification happened, e.g. at the KDC side.

Also, it would help to know what crypto policy is defined on the KDC side; check with `update-crypto-policies --show` and `update-crypto-policies --check`.

Finally, please provide details about your user certificate. There is typically an issue with SHA-1 being used for signatures but disabled in the crypto policy.

-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
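The two checks Alexander asks for are the KDC's crypto policy (`update-crypto-policies --show` and `--check` on the KDC) and the signature algorithm of the user certificate, which `openssl x509 -noout -text -in cert.pem | grep 'Signature Algorithm'` (or `openssl req` for req.pem) prints. The script below is an added example, not code from this thread, FreeIPA or yubico-piv-tool: it does the same certificate check with the Python standard library only, by parsing the AlgorithmIdentifier fields of a DER or PEM certificate or CSR, flagging MD5/SHA-1 digests and a mismatch between tbsCertificate.signature and the outer signatureAlgorithm. The OID table follows RFC 3279/4055/5758; the disallowed-digest set and the constructed, unsignable certificate skeletons used as fixtures are assumptions for illustration.

```python
"""Report which digest an X.509 certificate or PKCS#10 CSR was signed with,
using only the standard library so it runs on a bare KDC. Added example for
this thread, not FreeIPA/yubico-piv-tool code; the disallowed-digest set is an
assumed stand-in for a crypto policy that rejects SHA-1 signatures."""
import base64
import re
import sys

SIG_OIDS = {  # dotted OID -> (name, digest), from RFC 3279/4055/5758
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "md5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "sha1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "sha384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "sha512"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "sha1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "sha256"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "sha384"),
}
DISALLOWED_DIGESTS = ("md5", "sha1")   # assumption, see module docstring


def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER TLV at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def decode_oid(raw):
    """Decode OBJECT IDENTIFIER content octets to dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def load_der(data):
    """Accept PEM or DER bytes and return DER."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = re.sub(rb"-----[^-]+-----", b"", data)
        return base64.b64decode(b"".join(body.split()))
    return data


def algorithm_identifier(buf, pos):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }."""
    tag, start, _ = read_tlv(buf, pos)
    assert tag == 0x30, "AlgorithmIdentifier must be a SEQUENCE"
    otag, ostart, oend = read_tlv(buf, start)
    assert otag == 0x06, "first element must be an OBJECT IDENTIFIER"
    return decode_oid(buf[ostart:oend])


def outer_signature_oid(der):
    """signatureAlgorithm: second element of the outer SEQUENCE in both a
    Certificate (after tbsCertificate) and a CSR (after certificationRequestInfo)."""
    _, start, _ = read_tlv(der, 0)
    _, _, first_end = read_tlv(der, start)
    return algorithm_identifier(der, first_end)


def tbs_signature_oid(der):
    """tbsCertificate.signature: follows the optional [0] version and serialNumber."""
    _, start, _ = read_tlv(der, 0)
    _, pos, _ = read_tlv(der, start)       # step into tbsCertificate
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                        # [0] EXPLICIT version is present
        tag, _, end = read_tlv(der, end)
    assert tag == 0x02, "expected serialNumber INTEGER"
    return algorithm_identifier(der, end)


def inspect(data, is_csr=False, disallowed=DISALLOWED_DIGESTS):
    """Classify the signature algorithm; for certificates also check that
    tbsCertificate.signature equals the outer signatureAlgorithm (RFC 5280 4.1.1.2)."""
    der = load_der(data)
    oid = outer_signature_oid(der)
    name, digest = SIG_OIDS.get(oid, (oid, "unknown"))
    result = {"oid": oid, "name": name, "digest": digest,
              "accepted": digest not in disallowed and digest != "unknown"}
    if not is_csr:
        result["tbs_matches"] = tbs_signature_oid(der) == oid
    return result


# --- constructed fixtures: Certificate-shaped DER with no real signature ---
def der_tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def constructed_cert(tbs_sig_oid, outer_sig_oid):
    """v3 version, serial 1, both AlgorithmIdentifiers (NULL params), empty BIT STRING."""
    algid = lambda oid: der_tlv(0x30, der_tlv(0x06, encode_oid(oid)) + b"\x05\x00")
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02"))
                  + der_tlv(0x02, b"\x01") + algid(tbs_sig_oid))
    return der_tlv(0x30, tbs + algid(outer_sig_oid) + der_tlv(0x03, b"\x00"))


def pem_wrap(der, label="CERTIFICATE"):
    head, tail = b"-----BEGIN %s-----\n" % label.encode(), b"-----END %s-----\n" % label.encode()
    return head + base64.encodebytes(der) + tail


if __name__ == "__main__":                 # usage: sigalg.py [--csr] FILE
    with open(sys.argv[-1], "rb") as f:
        print(inspect(f.read(), is_csr="--csr" in sys.argv))
```

Run it as `python3 sigalg.py cert.pem` and `python3 sigalg.py --csr req.pem` and compare with the OpenSSL output. Note what it cannot see: the KDC error names the digest in the signed data, i.e. the CMS signature kinit produced over the AS-REQ through the PKCS#11 module, and Alexander's "your certificate or a client" covers both. A SHA-256 certificate with a client signing in SHA-1 would still fail, so the policy on the KDC (and the client's signing digest) need checking as well as the certificate.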
